12 releases (breaking)

0.10.1 Jul 1, 2024
0.9.0 Apr 3, 2024
0.8.0 Feb 5, 2024
0.7.0 Dec 12, 2023
0.1.0 Dec 1, 2022

#402 in Cryptography

Download history 1989/week @ 2024-07-27 1313/week @ 2024-08-03 803/week @ 2024-08-10 1225/week @ 2024-08-17 868/week @ 2024-08-24 1027/week @ 2024-08-31 895/week @ 2024-09-07 726/week @ 2024-09-14 587/week @ 2024-09-21 571/week @ 2024-09-28 430/week @ 2024-10-05 983/week @ 2024-10-12 496/week @ 2024-10-19 532/week @ 2024-10-26 356/week @ 2024-11-02 346/week @ 2024-11-09

1,957 downloads per month
Used in 5 crates

MIT/Apache

1MB
29K SLoC

decaf377

Crates.io

Many zero-knowledge protocols require a cryptographic group that can be used inside of an arithmetic circuit. This is accomplished by defining an “embedded” elliptic curve whose base field is the scalar field of the proving curve used by the proof system.

The Zexe paper, which defined BLS12-377, also defined (but did not name) a cofactor-4 Edwards curve defined over the BLS12-377 scalar field for exactly this purpose. However, non-prime-order groups are a leaky abstraction, forcing all downstream constructions to pay attention to correct handling of the cofactor. Although it is usually possible to do so safely, it requires additional care, and as discussed below, the optimal technique for handling the cofactor is different inside and outside of a circuit.

Instead, applying the Decaf construction to this curve gives decaf377, a clean abstraction that provides a prime-order group, complete with hash-to-group functionality, and works the same way inside and outside of a circuit.

More details are available on the Penumbra website.

Features

  • std: default, for use in std environments,
  • alloc: default, for use in alloc environments,
  • arkworks: default, uses Arkworks crates for elliptic curve operations,
  • u32_backend: uses 32-bit finite field arithmetic (default is 64-bit),
  • r1cs: enables rank-1 constraint system gadgets,
  • parallel: enables the use of parallelism.

Benchmarks

Run criterion benchmarks using:

cargo bench

This will generate a report at target/criterion/report/index.html.

Dependencies

~0.1–1.8MB
~32K SLoC